As US drops “cyber bombs,” ISIS retools its own cyber army

The Islamic State has been deft in its use of the Internet as a communications tool. ISIS has long leveraged social media to spread propaganda and even coordinate targets for attacks, using an ever-shifting collection of social media accounts for recruitment and even to call for attacks on individuals ISIS leaders have designated as enemies. But the organization’s efforts to build a sophisticated internal “cyber army” to conduct information warfare against the US and other powers opposing it have thus far been fragmented and limited in their effectiveness—and more often than not they’ve been more propaganda than substance.

Now, ISIS is taking another crack at building a more credible cyber force. As analysts from Flashpoint note in a report being published today (entitled “Hacking for ISIS: The Emergent Cyber Threat Landscape”), ISIS earlier this month apparently merged four separate pro-ISIS “cyber” teams into a single group called the United Cyber Caliphate.

“Until recently, our analysis of the group’s overall capabilities indicated that they were neither advanced nor did they demonstrate sophisticated targeting,” said Laith Alkhouri, director of Research & Analysis for the Middle East and North Africa and a cofounder of Flashpoint. “With the latest unification of multiple pro-ISIS cyber groups under one umbrella, there now appears to be a higher interest and willingness amongst ISIS supporters in coordinating and elevating cyber attacks against governments and companies.”

But interest and willingness do not necessarily equal capability. There is room for doubt about the authenticity of this group thanks to mixed messages broadcast over Telegram (ISIS’ preferred secure communications channel for propaganda and recruitment) and Twitter. And ISIS’ hacking efforts so far have been less than sophisticated, with the most recent “wins” being a compromise of the Twitter and YouTube accounts of the US Central Command (CENTCOM) and Newsweek in January 2015.

One-trick pony

ISIS’ early efforts to create a hacking unit, the Cyber Caliphate Army, began in the summer of 2014. The unit was led by, and possibly consisted entirely of, Junaid Hussain, a hacker from Birmingham, England, and a former leading member of the black hat “security research group” TeaMp0isoN. Hussain, then known as “TriCK,” was arrested in 2012. He joined ISIS shortly after his release, taking the name Abu Hussain al Britani. From the summer of 2014 until Hussain was taken out by a drone strike in August of 2015, the Cyber Caliphate Army claimed responsibility for a number of social media account takeovers, website defacements, and other activities.

Among those were the CENTCOM and Newsweek social media defacements, as well as attacks on sites of the city of Albuquerque and a TV station in Salisbury, Maryland, and the alleged theft of documents from the Tennessee Fusion Center—an intelligence clearing house for local, state, and federal law enforcement run by the Tennessee Bureau of Investigations. The Fusion Center breach allegedly exposed “For Official Use Only” and law enforcement sensitive documents, but these documents may have come from hacked e-mail accounts on Fusion Center mailing lists.

Hussain used his connections to the hacker world in an attempt to bolster ISIS’ otherwise limited cyber capabilities. But aside from a data dump on August 11, 2015 by the “Islamic State Hacking Division,” allegedly containing the addresses and contact information for more than 1,500 US service members—actually acquired from a hacker in Kosovo—Hussain appears to have been unsuccessful in bringing any of his contacts from his TeaMp0isoN days to ISIS’ cause.

Off-the-shelf hacks

The activities of ISIS “cyber” groups after Hussain’s death have been limited to those typical of small groups of “hacktivists”: indiscriminate Web defacements, claims of bigger hacks that appear to be based on the work of others, and claims of responsibility for unscheduled system outages.

Rabitat Al-Ansar (League of Supporters), a wing of ISIS’ Media Front propaganda collective, claimed to have stolen “American Visa and MasterCard” data in July of 2015—but the data appeared to have been obtained from previous breaches off a “carder” forum. Another purported ISIS hacking group, the Sons Caliphate Army, claimed to be behind a Twitter outage in February 2016.

The April “formation” of the United Cyber Caliphate from four other ISIS hacking “brands”—the Sons Caliphate Army, the Caliphate Cyber Army, and groups called the Ghost Caliphate Section and Kalashnikov E-Security Team—may be part of an effort to simplify ISIS hacker recruitment efforts in the wake of Hussain’s death. Leveraging publicly available hacker tools—“malware as a service” exploit sites, and other tools and services ISIS can buy off hacker forums such as the jihad-focused Gaza Hacker Web—the UCC could bolt together some attacks capable of creating a bit more propaganda for ISIS and causing damage to “soft” targets.

But it’s unlikely that UCC will be able to counter attacks launched against ISIS by US Cyber Command, the National Security Agency, and other allied nations’ military and intelligence agencies in any meaningful way. And given the questionable nature of some of the claimed successes of its components, combining them may result in more posturing than actual hacking.